Most of the techniques that we have seen so far in this book try to exploit some or the other vulnerability or design flaw on the server and gain access to it or extract information from its database. There are other kinds of attacks that use the server to exploit vulnerabilities on the user's software or try to trick the user to do something they wouldn't do under normal circumstances, in order to gain information the user possesses; these attacks are called client-side attacks.

In this chapter, we will review some techniques used by attackers to gain information from clients, be it by social engineering and deception or by exploiting software vulnerabilities.

Although it's not specifically related to web application penetration testing, we will cover them here because most of them are web based and it is a very common scenario that we are able to gain access to applications and servers when attacking a client. So, it is very important for a penetration tester to know how attackers behave in these attacks.